mirror of
https://github.com/Swarsel/.dotfiles.git
synced 2025-12-06 09:07:21 +01:00
feat: make bootstrapper more secure (confirm pw)
This commit is contained in:
Swarsel
parent
47b99bb39d
commit
71a9020d17
GPG key ID:
26A54C31F2A4FD84
2 changed files with 84 additions and 66 deletions
|
|
@ -2886,14 +2886,14 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
|
|||
|
||||
SOPS_FILE=".sops.yaml"
|
||||
sed -i "{
|
||||
# Remove any * and & entries for this host
|
||||
/[*&]$key_name/ d;
|
||||
# Inject a new age: entry
|
||||
# n matches the first line following age: and p prints it, then we transform it while reusing the spacing
|
||||
/age:/{n; p; s/\(.*- \*\).*/\1$key_name/};
|
||||
# Inject a new hosts or user: entry
|
||||
/&$key_type/{n; p; s/\(.*- &\).*/\1$key_name $key/}
|
||||
}" $SOPS_FILE
|
||||
# Remove any * and & entries for this host
|
||||
/[*&]$key_name/ d;
|
||||
# Inject a new age: entry
|
||||
# n matches the first line following age: and p prints it, then we transform it while reusing the spacing
|
||||
/age:/{n; p; s/\(.*- \*\).*/\1$key_name/};
|
||||
# Inject a new hosts or user: entry
|
||||
/&$key_type/{n; p; s/\(.*- &\).*/\1$key_name $key/}
|
||||
}" $SOPS_FILE
|
||||
green "Updating .sops.yaml"
|
||||
cd -
|
||||
}
|
||||
|
|
@ -2959,6 +2959,13 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
|
|||
red "Swap: X"
|
||||
fi
|
||||
|
||||
SECUREBOOT="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isSecureBoot)"
|
||||
if [[ $SECUREBOOT == "true" ]]; then
|
||||
green "Secure Boot: ✓"
|
||||
else
|
||||
red "Secure Boot: X"
|
||||
fi
|
||||
|
||||
ssh_cmd="ssh -oport=${ssh_port} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -t $target_user@$target_destination"
|
||||
# ssh_root_cmd=$(echo "$ssh_cmd" | sed "s|${target_user}@|root@|") # uses @ in the sed switch to avoid it triggering on the $ssh_key value
|
||||
ssh_root_cmd=${ssh_cmd/${target_user}@/root@}
|
||||
|
|
@ -2994,23 +3001,27 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
|
|||
# when using luks, disko expects a passphrase on /tmp/disko-password, so we set it for now and will update the passphrase later
|
||||
# via the config
|
||||
if [ "$disk_encryption" -eq 1 ]; then
|
||||
green "--encryption set: Preparing a temporary password for disko."
|
||||
green "[Optional] Set disk encryption passphrase:"
|
||||
read -rs luks_passphrase
|
||||
if [ -n "$luks_passphrase" ]; then
|
||||
$ssh_root_cmd "/bin/sh -c 'echo $luks_passphrase > /tmp/disko-password'"
|
||||
else
|
||||
$ssh_root_cmd "/bin/sh -c 'echo passphrase > /tmp/disko-password'"
|
||||
fi
|
||||
else
|
||||
green "--encryption not set: Not using disk encryption.."
|
||||
while true; do
|
||||
green "Set disk encryption passphrase:"
|
||||
read -rs luks_passphrase
|
||||
green "Please confirm passphrase:"
|
||||
read -rs luks_passphrase_confirm
|
||||
if [[ $luks_passphrase == "$luks_passphrase_confirm" ]]; then
|
||||
$ssh_root_cmd "/bin/sh -c 'echo $luks_passphrase > /tmp/disko-password'"
|
||||
break
|
||||
else
|
||||
red "Passwords do not match"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
# ------------------------
|
||||
green "Generating hardware-config.nix for $target_hostname and adding it to the nix-config."
|
||||
$ssh_root_cmd "nixos-generate-config --force --no-filesystems --root /mnt"
|
||||
|
||||
green "Injecting initialSetup"
|
||||
$ssh_root_cmd "sed -i '/ boot.extraModulePackages /a \ swarselsystems.initialSetup = true;' /mnt/etc/nixos/hardware-configuration.nix"
|
||||
if [[ $SECUREBOOT == "true" ]]; then
|
||||
green "Injecting initialSetup"
|
||||
$ssh_root_cmd "sed -i '/ boot.extraModulePackages /a \ swarselsystems.initialSetup = true;' /mnt/etc/nixos/hardware-configuration.nix"
|
||||
fi
|
||||
|
||||
mkdir -p "$FLAKE"/hosts/nixos/"$target_hostname"
|
||||
$scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "${git_root}"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
|
||||
|
|
@ -3034,14 +3045,17 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
|
|||
done
|
||||
|
||||
# ------------------------
|
||||
green "Setting up secure boot keys"
|
||||
$ssh_root_cmd "mkdir -p /var/lib/sbctl"
|
||||
read -ra scp_call <<< "${scp_cmd}"
|
||||
sudo "${scp_call[@]}" -r /var/lib/sbctl root@"$target_destination":/var/lib/
|
||||
$ssh_root_cmd "sbctl enroll-keys --ignore-immutable --microsoft || true"
|
||||
# ------------------------
|
||||
green "restoring hardware-configuration"
|
||||
sed -i '/swarselsystems\.initialSetup = true;/d' "$git_root"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
|
||||
|
||||
if [[ $SECUREBOOT == "true" ]]; then
|
||||
green "Setting up secure boot keys"
|
||||
$ssh_root_cmd "mkdir -p /var/lib/sbctl"
|
||||
read -ra scp_call <<< "${scp_cmd}"
|
||||
sudo "${scp_call[@]}" -r /var/lib/sbctl root@"$target_destination":/var/lib/
|
||||
$ssh_root_cmd "sbctl enroll-keys --ignore-immutable --microsoft || true"
|
||||
# ------------------------
|
||||
green "restoring hardware-configuration"
|
||||
sed -i '/swarselsystems\.initialSetup = true;/d' "$git_root"/hosts/nixos/"$target_hostname"/hardware-configuration.nix
|
||||
fi
|
||||
|
||||
if [ -n "$persist_dir" ]; then
|
||||
$ssh_root_cmd "cp /etc/machine-id $persist_dir/etc/machine-id || true"
|
||||
|
|
@ -3121,11 +3135,6 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
|
|||
echo
|
||||
fi
|
||||
|
||||
# # ------------------------
|
||||
# green "Enrolling secure boot keys"
|
||||
# $ssh_root_cmd "sbctl enroll-keys --microsoft"
|
||||
# ------------------------
|
||||
|
||||
if yes_or_no "You can now commit and push the nix-config, which includes the hardware-configuration.nix for $target_hostname?"; then
|
||||
cd "${git_root}"
|
||||
deadnix hosts/nixos/"$target_hostname"/hardware-configuration.nix -qe
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue